Object specific permissions
- Blair McKenzie
- Geoff Bowers
Introduction
Object specific permissions are permissions that apply to each instance of a type. Navigation is an example of this: you can deny view access to a part of your website simply by changing the permissions for that Navigation item in the site tree.
With the refactoring of security in the Fortress release it is much easier to extend or modify the security model. One of the newer features is that it is now possible to add object specific permissions - that is restrict actions on a specific content objects to specific roles.
Revisiting permission classes
As of FarCry 5.0 there are 4 permission classes. Some of these overlap in the way they are represented in the database but have different effects.
Class |
Description |
Management location |
|---|---|---|
Webskin |
Defines the webskins that a role can access. |
By editing a role |
Type |
Defines the actions a role can perform across a type. i.e. a contributor can edit news but not approve it, a publisher can do anything with news |
By editing a role |
Object |
Defines the actions a role can perform on a specific object. By default only dmNavigation objects have these. |
From site tree: right-click -> Manage permissions, from Overview -> Miscellaneous -> Manage permissions. ManagePermissions permission is needed to access this functionality. |
General |
Arbitrary flags that are accessed at specific points in the code. e.g. webtop menu permissions |
By editing a role |
COAPI / database schema
Object specific permissions are stored in the farBarnacle type.
Property |
Type |
Description |
|---|---|---|
roleid |
uuid |
The role this grant/deny flag is for |
permissionid |
uuid |
The permission this flag is for |
referenceid |
uuid |
The object this flag is for |
objecttype |
string |
The type of the object this flag is for |
barnaclevalue |
-1:Deny,0:Inherit,1:Grant |
The value of the permission. The default value is 0 (inherit), but for non-hierarchical types (category and navigation) this is equivilent to deny. |
If you use setData the objecttype field will be populated and the security cache updated automatically.
Example: Adding object permissions to dmFile
Step 1: Extending farBarnacle
The types that can have object permissions is defined by the Barnacle type. The referenceid property contains which object the "Barnacle" is attached to. By extending farBarnacle and changing the ftJoin metadata attribute we can add dmFile to the system.
<cfcomponent displayname="Barnacle" hint="Used to grant an item specific permissions." extends="farcry.core.packages.types.farBarnacle" output="false"> <cfproperty name="referenceid" type="uuid" default="" hint="The object this barnacle is attached to" ftSeq="3" ftFieldset="" ftLabel="Object" ftType="uuid" ftJoin="dmNavigation,dmFile" /> </cfcomponent>
Step 2: Defining the permission
Now we need to flag a specific permission as being an object permission for dmFile. You can create your own, but I just want to restrict access restrictions, so I'm going to use View.
Go to Webtop -> Security -> Permissions and find the View permission. You'll recognize the one we want because it will already be joined onto the dmNavigation type. You should see something like this:
In the "Join on" list select File as well, and save. Make sure you don't unselect Navigation as this would screw up site tree permissions.
Step 3: Reload security
At this point it is a good idea to clear the security cache. You can do this either with the updateapp=1 flag in the url, or by going to Webtop -> Admin -> Reload application, selecting Security, and clicking Update Application.
You have now set up file by file restrictions.
Step 4: Managing the permissions
If you try to access files you have set up in your application you will now get a message saying "You have been denied access to this item". This is the default response when a user is viewing an object or webskin without permission.
The object permission model is default-deny. If a type has an object permission attached set up, but specific objects don't have Grant applied to them, even the System Administrator won't be able to access them.
To grant access to a file, open the Overview for the file: Webtop -> Content -> Media Library -> Media Library Files, and chose Overview from the action dropdown.
Open the Manage permissions page: Miscellaneous -> Manage permissions.
You can now change the View permissions on this file for each role. Grant your own role the View permission, and attempt to view the file again.
Success!